Stealthy Tracking of Autonomous Vehicles with Cache Side ... · Stealthy Tracking of Autonomous...
Transcript of Stealthy Tracking of Autonomous Vehicles with Cache Side ... · Stealthy Tracking of Autonomous...
Stealthy Tracking of Autonomous Vehicles with Cache Side Channels
Mulong Luo, Andrew C. Myers, G. Edward SuhCornell University29th USENIX Security Symposium 2020
Photos, illustrations, graphics here.
Cornell University
2
Privacy in Cyber-Physical Systems (CPS)• Autonomous vehicles and other CPS (e.g.
UAV) are widely used
• Privacy in CPS involves in physical information (e.g., location)
• CPS as computer systems, are vulnerable to cache side-channel attack
Autonomous cars 1
UAV 2
1. waymo.com2. dji.com
Cornell University
3
• We identified CPS as victims that can expose physical privacy information– Traditional victims of cache side-channel attack usually leaks
non-physical information (e.g., crypto keys)
• We showed adaptive algorithms whose computation depends on inputs in CPS are vulnerable to cache side-channel attack
• We demonstrated a concrete example of cache side-channel attack on autonomous vehicles for route prediction
Main Contributions
Photos, illustrations, graphics here.
Cornell University
4
Threat Model• Attack software shares
computer with victim software on the vehicle under attack
• Attack software has no permission to access location service (e.g., GPS)
• Attack software uses cache side-channel attack to infer the route of the vehicle from a set of known routes
Hospital
Airport
Restaurant
Attack software
CacheComputer
Home
Victim software GPS
Denied!
Photos, illustrations, graphics here.
Cornell University
5
Autonomous Vehicle Systems• Main components
– Sensors– Actuators– Computer
• Major navigation tasks– Estimation/localization
software– Control/decision software
GPS driver
Lidardriver
Controllerdriver
State estimation
Path planning
Collision avoidance
LTE/5Gdriver
Info-tainment
Video recording
Onboard computer
Navigation stack
OS kernel space
Utility stack
Remote control server
Cameradriver
GPS receiver
Lidar
Camera
LTE/5GAthena
Steering controller
Throttlecontroller
Brakecontroller
Sensors/Info collectors Actuators/command executors
USB/PCIe/GPIO/CAN
Syscalls
Cornell University
6
• Adaptive Monte-Carlo Localization (AMCL): memory access pattern is affected by the physical sensor inputs
• Cache side-channel attack is used to extract the memory access patterns
• Machine learning (ML) models are used to infer the number of AMCL samples and the route of the vehicle
Attack Outline
AMCL MLCache side channel
ML
Mem
ory
acce
ss
Sens
or
input
#AM
CL
sam
ples
Predict
ed
route
Photos, illustrations, graphics here.
Cornell University
7
Adaptive Monte-Carlo Localization (AMCL)• Input: sensor image, and a map• Output: location on the map• Process:
– Randomly sample locations on the map, calculate the similarity with the sensor image
– Use k-means to find cluster center• Adaptivity: the number of samples varies
adaptively depending on uncertainty1
– High curvature (uncertainty) à more AMCL samples à more memory access
Sensor image
10%
90%
30%
map
80 100 120 140 160time (s)
0
5000
10000
15000
Numb
er of
partic
les
0
2
4
6
8
10
Curva
ture o
f the t
race
(1/m
)
10 5
time (s)
Num
ber o
f AM
CL
sam
ples
Cur
vatu
re (1
/m)
1.D. Fox. Adapting the sample size in particle filters through KLD-sampling. IJRR, 22(12):985–1003, 2003.
Cornell University
8
• Adaptive Monte-Carlo Localization (AMCL): memory access pattern is affected by the physical sensor inputs
• Cache side-channel attack is used to extract the memory access patterns
• Machine learning (ML) models are used to infer the number of AMCL samples and the route of the vehicle
Attack Outline
AMCL MLCache side channel
ML
Mem
ory
acce
ss
Sens
or
input Pred
icted
route#AM
CL
sam
ples
Photos, illustrations, graphics here.
Cornell University
9
Cache Side-Channel Attack• Sharing of cache• Memory accesses patterns
from AMCL are left in the cache
• Attack program access the cache and infer AMCL accesses through timing– Prime+probe
CPU
Cache
Memory owned by AMCL
Memory owned by attacker
AMCL Attack program
Main memory
Photos, illustrations, graphics here.
Cornell University
10
Cache Prime+Probe• For each prime+probe trial
– Probe each cache set and
record the probing time
– High probing time (dark
cell) à cache set
accessed by a victim
– #dark cells à #AMCL
samples
• ML model to predict number
of samples
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30Prime+probe trial
123456789
10111213141516
Cache set index
Probing Time (cycles)
50
100
150
200
250
300
350
400
450
500
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
Prime+probe trial
123456789
10111213141516
Cac
he s
et in
dex
Probing Time (cycles)
50
100
150
200
250
300
350
400
450
500
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
Prime+probe trial
123456789
10111213141516
Cac
he s
et in
dex
Probing Time (cycles)
50
100
150
200
250
300
350
400
450
500...
...C
ache s
et in
dex (
1-6
4)
Prime+probe trial
...
...
Cornell University
11
• Adaptive Monte-Carlo Localization (AMCL): memory access pattern is affected by the physical sensor inputs
• Cache side-channel attack is used to extract the memory access patterns
• Machine learning (ML) models are used to infer the number of AMCL samples and the route of the vehicle
Attack Outline
AMCL MLCache side channel
ML
Mem
ory
acce
ss
Sens
or
input Pred
icted
route#AM
CL
sam
ples
Photos, illustrations, graphics here.
Cornell University
12
ML Model: #AMCL Samples Predictor• Formulated as a binary
classification problem– Input: a window of cache
probing time matrix– Output: two classes {High,
Low} representing the number of samples
– RUSBoost1 binary predictor is used
Cac
he s
et in
dex
1
64
…
Window size
…5 6 4……2 1 4……3 4 5……3 2 1……5 5 5……..…1 2 5… N
umbe
r of s
ets
Num
ber o
f sam
ples
time
time
High
Low1.C. Seiffert, et al., "RUSBoost: Improving classification performance when training data is skewed," 2008 ICPR.
Cornell University
13
• Adaptive Monte-Carlo Localization (AMCL): memory access pattern is affected by the physical sensor inputs
• Cache side-channel attack is used to extract the memory access patterns
• Machine learning (ML) models are used to infer the number of AMCL samples and the route of the vehicle
Attack Outline
AMCL MLCache side channel
ML
Mem
ory
acce
ss
Sens
or
input Pred
icted
route#AM
CL
sam
ples
Photos, illustrations, graphics here.
Cornell University
14
ML Model: Route Predictor• Formulated as a
classification problem– Input: a series of {High,
Low} which indicates the number of samples
– Output: label of the route– Decision tree/forest is
used
Low
High
6
8
9Low
High
HighLowLow
8
time
3
High
High
Low
Num
ber o
f sa
mpl
es
Photos, illustrations, graphics here.
Cornell University
15
Evaluation: Datasets• Two datasets used
– Gazebo/ROS1
• Simulated robot in a maze – Oxford2
• Data collected on a car driving around Oxford, UK
• Processors for evaluation– Intel i5-3317u, and Intel Xeon E5-
1270 (recommended by Apollo3)1. http://gazebosim.org/2. https://robotcar-dataset.robots.ox.ac.uk/3. https://apollo.auto Oxford
Gazebo/ROS simulation maze
Cornell University
16
• 7 randomly-selected routes with similar lengths
• Perform route prediction using L1D or LLC probing data
– Accuracy: L1D: 81.4%, LLC 75%
Evaluation: Route Prediction - Gazebo
Maze and 7 routes L1D prediction results LLC prediction results
Cornell University
17
• 7 routes with similar lengths from the Oxford dataset
• Perform route prediction using L1D or LLC probing data
– Accuracy: L1D: 74.6%, LLC 73.0%
Evaluation: Route Prediction - Oxford
Oxford dataset and
seven routes
L1D prediction results LLC prediction results
Cornell University
18
• Evaluation: Host-client testbed architecture (Section 5.1.1)
• Location prediction (Section 5.3.2)
• L1D & LLC comparison (Section 5.3.3)
• Discussion (Section 6)
– Processor architecture (Section 6.1)
– Generality of the vulnerability (Section 6.2)
– Limitations of the attack model (Section 6.3)
– Difficult-to-predict routes (Section 6.4)
More In the Paper…
Cornell University
19
• We identified CPS as victim that can expose physicalprivacy information
• We showed adaptive algorithms in CPS are vulnerable to cache side-channel attack
• We demonstrated a concrete example of cache side-channel attack on autonomous vehicles for route prediction
• Cache side-channel protection necessary for strong CPS physical privacy
Conclusion